Explanation: Use groups to assign permissions to IAM users Instead of defining permissions for individual IAM users, it's usually more convenient to creategroups that relate to job functions (administrators, developers, accounting, etc.), define the relevantpermissions for each group, and then assign IAM users to those groups. All the users in an IAM groupinherit the permissions assigned to the group. That way, you can make changes for everyone in agroup in just one place. As people move around in your company, you can simply change what IAMgroup their IAM user belongs to. http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#use-groups-for-permissions